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Abstract 

In [Pattern Recognition Letters, in press, doi:10.1016/j.patrec.2009.11.008], an image scrambling 
encryption algorithm of pixel bit based on chaos map was proposed. Considering the algorithm as a 
typical binary image scrambling/permutation algorithm exerting on plaintext of size Mx {8N), this 
paper proposes a novel optimal method to break it with some known/chosen-plaintexts. The spatial 
complexity and computational complexity of the attack are only 0(32 • MN) and 0(16 • no • MN) 
respectively, where uq is the number of known/chosen-plaintexts used. The method can be easily 
extended to break any permutation-only encryption scheme exerting on plaintext of size M x N 
and with L different levels of values. The corresponding spatial complexity and computational 
complexity are only 0{MN) and O(no • MN) respectively. In addition, some specific remarks on 
the performance of the image scrambling encryption algorithm are presented. 
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1. Introduction 

With rapid development of digital information technology, image data is transmitted over all 
kinds of wired/wireless channels more and more frequently. Correspondingly, security of image 
data become more and more important. However, the traditional text encryption schemes fail to 
protect image data efficiently due to the big differences between image data and text, such as strong 
redundancy existing in uncompressed image data and its bulky size. In addition, image encryption 
schemes have some special requirements like fast handling speed and easy concatenation of different 
components of the whole image processing system. So, designing encryption scheme protecting 
image data specially becomes an urgent task. Due to the subtle similarities between cryptography 
and chaos, a great number of image encryption schemes based on chaos have been proposed in 
the paste decade [l|, 0, S S 0]- Unfortunately, most of them have been found to be insecure of 
different extents from the viewpoint of modern cryptography 

0,0, BS, HlnllliE Q- For 

more discussion about chaos-based image encryption schemes, please refer to [iSl. Il6l|. 



In [l7l], an image permutation algorithm was proposed by scrambling/permuting binary bit of 
every pixel with pseudo-random number sequence generated by chaotic logistic map. Essentially, 
it is a permutation-only algorithm exerting on a binary image of size M x {8N). The present 
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paper focuses on security analysis of the algorithm and reports the following problems: 1) an 
optimal method is proposed to break the image permutation algorithm under study with some 
known/chosen plaintexts; 2) the method is extended to break any permutation-only encryption 
scheme exerting on elements of any different levels of values; 3) some remarks on performance of 
the image permutation algorithm under study are given. 

The rest of this paper is organized as follows. Section [2] introduces the image permutation 
algorithm under study briefly. Detailed cryptanalysis results are presented in Sec. [3l The last 
section concludes the paper. 



2. The image permutation algorithm under study 

The plaintext encrypted by the image permutation algorithm under study is a gray-scale image 
of size M X N (height x width) , which can be denoted by an M x matrix in domain Z256, 
/ = [I{i,j)]f=Q^j'^(j~^- The image / is further represented as an M x (8A^) binary matrix B = 
[B{i, O]i!fo ^=o^~^) where = Ylk=o -^(^' I) ■ '2'' , I = 8 ■ j + k. The corresponding cipher-image 

is I' = j)]*Zo J^""*^, I'ihi) = Zll=o-^'(^'0 • 2^, / = 8 • j + /c. Then, the image permutation 
algorithm can be described as followq^. 

• The secret key: three positive integers m, n, T, and the initial condition xq € (0, 1) and 
control parameter // € (3.569945672, 4) of the following chaotic Logistic map: 

f{x)=fi-x-{l-x). (1) 

• The initialization procedure: 1) run the map Eq. ([1]) from xq to generate a chaotic sequence, 
^Xk}^^^^^™'^^^^'^"''^^^^^^^ ; 2) generate a matrix Tm of size 1 x M, where SM{TM{i)) is the 
{i + l)-th largest element of Sm = {xra+k}^=i, < i < (M — 1); 3) generate a matrix Tjv of 
size M X (8iV), where, V i G {0, • • • ,M - 1}, SN{TNii,j)) is the (j + l)-th largest element 

^n+{8N)i-\ 

The encryption procedure: 



of Sn = {Xn+(8N)i+k}l'^l ,0<J<N-l. 



— Step 1 ~ vertical permutation: generate an intermediate matrix S* = [-B*(i, Oli^^o i=o^ ^' 
where 

B*{i,:)=B{TM{i),:); (2) 

— Step 2 - horizontal permutation: generate an intermediate matrix & = \B'{i^ Oli^o J=o^~^' 
where 

B'{i,l) = B\i,TN(i,V))- (3) 

— Step 3 - repetition: reset the value of xq with the current state of Eq. ([1]), and repeat 
the above operations from the initialization procedure for (T — 1) times. 

The decryption procedure is similar to the encryption one except that the following simple 
modifications: 1) the different rounds of encryption are exerted in a reverse order; 2) the 
order of Step 1 and Step 2 in each round is reversed; 3) the left parts and right parts of 
Eq ^ and Eq. ([3]) are exchanged respectively. 



^To make the presentation more concise and complete, some notations in the original paper are modified, and 
some details about the algorithm are supplied and/or corrected also. 
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3. Cryptanalysis 



3.1. Known-plaintext attack on the image permutation algorithm under study 

The known-plaintext attack is an attack model for cryptanalysis where the attacker has some 
samples of both the plaintext and the corresponding ciphertext and make use of them to reveal 
secret information, such as secret keys and/or its equivalent ones. 

Apparently, the combination of multiple rounds of the operations in the encryption procedure 
can be represented by an M x (8A^) permutation matrix W = [w{i, 0]f=o ILo' where I) = {i', I') 
denotes the secret position of the plain bit B{i,j) in B'. That is to say, the permutation matrix 
W defines a bijective map on set M x N+, where M = {0, • • • , M - 1} and N+ = {0, • • • ,8N - 1}. 
Once the attacker recover the permutation matrix W and then obtain its inverse VF~^, he can use 
it as an equivalent key to decrypt any cipher-image encrypted with the same secret key. 

Depending on the fact that the secret permutation does not change the values of the permuted 
elements, a general algorithm was proposed in [18] for obtaining the permutation matrix by com- 
paring the values of the elements of some plaintexts and the corresponding ciphertexts. Based on 
the same mechanism, a novel optimal method is proposed here to break the image permutation 
algorithm under study. 

Actually, the proposed method is the construction process of a binary tree, whose every node 
includes five components in order: a pointer holding address of the left child node, PT^; two sets 
containing some entry positions of plain-image and cipher-image respectively; cardinality of one 
of the two sets; a pointer holding address of the right child node, PTr. Denote the two sets in 
the root node with IB and B' respectively, where B = B' = M x N^. Obviously, cardinality of B, 
|B| = 8MN. Then, the binary tree can be constructed as follows. 

• V {i,l) G B, do the following operations: 

add (i, into Bi iiB{i,l) = l; 
add (i, /) into Bo iiB{i,l) = 0. 

• V (i, /) G B', do the following operations: 

add (i, /) into B; if B'{i, I) = 1; 
add (i, /) into B'o [iB'{i,l) = 0. 

• Delete the elements in the two sets of root node and set the fourth item of the node as zero. 

Since the secret permutation does not change the values of the permuted elements, the cardi- 
nalities of the two sets in the two child nodes are always the same. Hence, only the cardinality of 
one set is needed to record. The basic structure of the binary tree is shown in Fig. [TJ With more 
pairs of known-images and the corresponding cipher- images, the binary tree will be updated and 
expanded iteratively with the following steps. 

• Search for all nodes whose third item is greater than one, namely, both the corresponding 
two sets have more than one elements; 

• Expand each found node with the similar operations shown above. 
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Figure 1: Basic structure of the binary tree. 



After construction of the binary tree is completed, let's study how to obtain the estimated 
version of the permutation matrix W from the tree. To facilitate the following discussion, let 
Bj, and |Bj| denote the middle three items of a leaf node, respectively. Apparently, w{i,l) 
can be uniquely determined if and only if |Bj| = 1. Otherwise, one has to guess one from |Bj|! 
possible cases. For the whole permutation matrix, there are n^]^(|Bj|!) possible cases, where P is 
the number of leaf nodes in the binary tree. For simplicity, we derive the permutation matrix by 
mapping the elements in Bj and B- one by one in order. 

Next, let's study how many known- images are enough to achieve an acceptable breaking per- 
formance. Roughly speaking, n^^(|Bj|!) decrease greatly with the number of known-images, no, is 
increased. The less value of n^^(|Bj|!) means more accurate estimation of the permutation matrix. 
To simplify the analyses, we assume that each element in B distributes uniformly over {0, 1}, and 
any two elements are independent of each other. Then, the elements of Bj can be divided into the 
following two types: 

• the sole right position, which occurs definitely; 

• other fake positions, each of which occurs in Bj with a probability of 1/ 2"" , since one condition 
in Eq. ^ is satisfied consecutively for no times. 

Let ng denote the number of error bits in a recovered pixel, it can be calculated that Prob{ns = 
i) = (^) • (1 -pbY ■ {Pbf~\ where pb = i^(i<,MN^i)/2^o ' i = ~ 8. Generally speaking, when every 
bit is determined correctly with a probability larger than a half, namely ph > 0.5, the decryption 
will be acceptable. Solve the inequality, one has 



no > riog2(8MiV-l)l. 



(5) 



To verify the performance of the above known-plaintext attack, a number of experiments have 
been performed on a number of random-selected natural images of size 256 x 256. In this case, 
Eq. dS]) become no > [log2(2^^ — 1)] = 19. With a random selected secret key {xq, fi,m,n,T) = 
(0.2009,3.98,20,51,4), a plain-image "Peppers" and its encrypted version are shown in Figs. [2^) 
and b), respectively. Let W20 and W25 denote the estimated version of the permutation matrix W 
obtained from 20 and 25 known plain-images, respectively. The decrypted version of Fig. [2)3) with 
W2Q and W25 is shown in Figs. [2}:) and d) respectively. It is found that most visual information 
contained in the original plain-image has been recovered in Fig. [2}:), although only 23509/65536 ~ 
35.8% of plain pixels are correct in value. This is attributed to the following three main reasons: 



among the incorrect pixels, the percentage of ones has only one incorrect bit is 27349/ (65536— 
23509) ^ 65%; 
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• human eyes have a powerful capabihty for excluding image noises and recognizing significant 
information; 

• due to strong redundancy in natural images, two pixel values are close to each other with 
a probability larger than the average one, so many incorrectly recovered pixels are close to 
their true values with a probability larger than the average one also. 

Distribution of difference between the recovered plain-image shown in Fig. and the corre- 
sponding original plain-image is shown in Fig. [3^) . The similar data on the recovered plain-image 
shown in Fig. [2]1) is also illustrated in Fig. [8)3) for comparison. With some noise reduction schemes, 
the recovered plain-images can be enhanced further. The results of two images shown in Figs. ^) 
and d) with a 3 x 3 median filter are shown in Figs. H^) and b), respectively. 




c) d) 

Figure 2: The image "Peppers" recovered by know-plaintext attack: a) "Peppers"; b) the encrypted "Peppers"; c) 
recovered "Peppers" via W20', d) recovered "Peppers" via ^25- 

Figure [5] shows the percentage of correctly-recovered elements, including plain-bit, plain-pixel 
and the elements of permutation matrix, with respect to the number of known plain-images. One 
can see that the breaking performance is good when no > 20. It can also be noticed that the slopes 
of the three lines shown in Fig. [S]are very flat when no > 25. This is due to the negative impact 
incurred by the strong redundancy in natural images, such as the MSBs of neighboring pixels are 
the same with a high probability. This point has been proved quantitatively in [l^. Now, one 
can see that the non-uniform distribution of most natural image has two opposite influences on 
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Figure 3: Distribution of difference between two recovered plain-images and the original plain-image: a) the one 
shown in Fig. [2};); b) the one shown in Fig. [2Jl)- 



the final breaking. The experiments have shown that the above analysis result obtained under the 
assumption of uniform distribution is also hold for the case of ordinary natural images. 




Figure 4: The enhanced results of two recovered plain- images by a 3 x 3 median filter: a) the image shown in Fig.[2j;); 
b) the image shown in Fig. ^]p) . 



Obviously, the spatial complexity and the computational complexity of the proposed known- 
plaintext attack are only 0(32 • MN) and 0(16 ■ no • MN) respectively. 

3.2. Chosen-plaintext attack on the image permutation algorithm under study 

The chosen-plaintext attack are an attack model for cryptanalysis which assumes that the 
attacker has the capability to arbitrarily choose some plaintexts to be encrypted and observe the 
corresponding ciphertexts. The goal of the attack is to optimize the attack performance considering 
the special properties of the encryption scheme under study. 
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Figure 5: The percentage of correctly-recovered elements with respect to the number of known plain-images. 



As for the image permutation algorithm under study, at least Uc = [log2(8MA^)] = 3 + 
[log2(MA^)] chosen plain-images are needed to make cardinality of the set in every leaf node of the 
binary tree for breaking is equal to one, namely, every element of the permutation matrix can be 
recovered exactly. First, construct an M x (8A^) matrix in domain Z2nc , = [B~^{i^ Oli^o l^^o^"^' 
whose elements are different from each other. Then, the chosen plain-images {/(}^q^ can be 
chosen/constructed as follows: 

where ^"^g ^ B^{i, • 2* = B+{i, l),l = 8-j + k. 

3.3. Known/ chosen-plaintext attack on any permutation- only multimedia encryption schemes 

As shown in [l8^, no matter what are the permuted elements of multimedia data, all permutation- 
only multimedia encryption schemes on a plaintext of size M x N can be represented as 

P{w{i,j))=I{i,j), 

where the permutation matrix W = [w{i,j) = {i',j') G M x N]^^^^, M = {0, • • • ,M — 1} and 
N = {0, ■ ■ ■ ,N — 1}. Then it was analyzed that permutation-only multimedia encryption can be 
broken with only O {\logi {MN)~\) known/chosen plaintexts, where L is the number of different 
elements in the plaintext. The breaking method proposed in [l^ . Sec. 3.1] includes the following 
three key steps: 

• Step 1 : obtain a set containing all possible secret positions for each entry of the plaintext by 
comparing every pair of plaintext and the corresponding ciphertext; 

• Step 2: solve the intersection of the different sets corresponding to each entry of plaintext; 

• Step 3: get an estimated version of the permutation matrix by choosing a secret position of 
an entry plaintext from the final set corresponding to it. 
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The operations in Step 2 make the computational complexity of the above attack become 
O(no • MN"^). It is found that the complex intersection operations can be avoided by extending 
the idea proposed in Sec. 13.11 namely constructing a multi branch tree, whose every node include 
2^ + 3 components: 2^ pointers holding addresses of 2^ possible child nodes; two sets containing 
some entry positions in plain-image and cipher-image respectively; cardinality of one of the two 
sets. Let B, B', and |B| denote the last three items in the root node. Initially, set B = B' = M x N, 
and |B| = MN . Then, the multi branch tree can be constructed as follows. 

• ^ {hj) £ 18, add («, j) into the first set of the child node to which the /(z, j)-th item of the 
current node point; 

• V («, j) G B', add (i, j) into the second set of the child node to which the /'(«,j)-th item of 
the current node point. 

• Delete the elements of the sets in the root node and set the last item of the node as zero. 

With more pairs of known/chosen plain-images and the corresponding cipher- images, the multi 
branch can be updated and expanded iteratively with the following steps: 

• Search for all nodes whose last item is greater than one; 

• Expand and update each found node with the similar operations shown above. 

Once construction of the multi branch tree is completed, the permutation matrix W can be 
estimated by simply mapping the elements in the two sets of every leaf node in order. 

Finally, combine the performance analysis of the known/chosen-plaintext attack presented in 
[l^ , we can conclude that any permutation-only multimedia encryption schemes exerting on plain- 
text of size M X N can be efficiently broken with 0{\logi{M N)']) known/chosen-plaintexts, and 
spatial complexity and computational complexity of the attack are 0{MN) and 0(no • MN) re- 
spectively. 

3.4- Some remarks on the performance on the image permutation algorithm under study 

• Weak randomness of vectors Tm oind T^r 

Obviously, randomness of vectors Tm and T^r depends on randomness of the sequences 
generated by iterating Logistic map. Note that convincing argument for good randomness 
of a sequence is not the so-called complex theories based but whether it can pass a series of 
objective tests [l^. As shown in [20, Sec. 3.1], Logistic maps cannot serve as a good random 
number generator. This point can also be guessed by observing distribution of the trajectory 
of Logistic map, which is mainly determined by the control parameter [21]. For illustration, 
distribution of two trajectories of Logistic map with the same initial condition and control 



parameter used in 17|, Sec. 2] is shown in Fig. [6l 
Fail to encrypt image of fixed value zero 
Insensitivity with respect to changes of plaintext 

Sensitivity with respect to changes of plaintext is very important for any image encryption 
scheme since an image and its watermarked version may be encrypted at the same time. In 
cryptography, the most ideal state about the sensitivity is that the change of any single bit 





a) 



b) 



Figure 6: Distribution of two trajectories of the map Eq. ([1} with control parameter /i = 3.5786: a) xo = 0.3333; b) 
xq = 0.5656. 

of plaintext will make every bit of the corresponding ciphertext change with a probability 
of one half. Unfortunately, the image permutation algorithm under study does not consider 
this property at all. 

• Equivalent sub-key 

Since f{x) = /(I — x), xq and (1 — xq) are equivalent sub-keys for decryption. 

• Unchanged histogram on plain-bit 

Although the histogram on plain-byte is changed by the image permutation algorithm under 
study, the one on plain-bit keep unchanged, which make the cipher-image still reveal some 
information of the plain-image. 

• Low efficiency 

The generation method of permutation matrixes Tm and T^r make the computational com- 
plexity of the image permutation algorithm under study is 0{M ■ (8A^)^), which is even much 
larger than that of DES. 



4. Conclusion 

In this paper, the security of an image permutation encryption algorithm is analyzed. An op- 
timal method, in term of spatial complexity and computational complexity, is proposed to break 
the binary image permutation algorithm. Furthermore, the method can be extended to break any 
permutation-only multimedia encryption schemes with an optimal performance also. In addition, 
some specific remarks on the performance of the image scrambling encryption algorithm under 
study are provided. Again, this cryptanalysis paper proves that the security of a good image en- 
cryption scheme should rely on well combination of traditional cryptography and special properties 
of image data, like the schemes proposed in 
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